Registry remotely hacked win 7 need help tracking the perp
Posted by user577229 on Server Fault
Published on 2011-01-16T03:28:33Z
I was writing some .VBS code at the office that would allow certain file extensions to be downloaded without a warning dialog on a w7x32 system.
The system I was writing this on is in a lab on a segmented subnet. All web access is via a proxy server. The only means of accessing my machine is via the internet or from within the lab's MSFT AD domain.
While writing and testing my code I found a message of sorts. Upon refreshing the registry to verify my code changed a dword, instead the message HELLO was written and visible in regedit where the dword value was called for.
I took a screen shot and proceeded to edit my code. This same weird behavior occurred last time I was writing registry code except on another internal server.
I understand that remote registry access exists for Windows systems. I will block this immediately once I return to the office.
What I want to know is, can I trace who made this connection? How would I do this?
I suspect the cause of this is the cause of other "odd" behaviors I'm experiencing at work, such as losing control of my input director master control for over an hour and unchanged code that all of a sudden fails for no logical reason.
These failures occur at funny times, whenever I'm about to give a demonstration of my test code. I know this sounds crazy; however, knowledge of the registry component makes this believable. Once the registry can be accessed, the entire system is compromised.
Any help or sanity checking is appreciated.